On 30 June 2011 15:50, Thomas Mortagne <thomas.mortagne(a)xwiki.com> wrote:
On Thu, Jun 30, 2011 at 09:22, Paul Harris <harris.pc(a)gmail.com> wrote:
On 30 June 2011 15:15, Paul Harris <harris.pc(a)gmail.com> wrote:
>
> And what is worse, I discovered by accident that the Unregistered User can access the space!
For example, an unregistered user can access the /xwiki/Admin/RunQuery page, which could be used to run queries directly on the database, for example:
select * from xwikipreferences
Further to this, I wanted to try and restrict access to this Admin space.
I set DENY access for all rights, for the "Unregistered User", and for
XWikiAllGroup. (so, two rows of red-crosses)
There are no other ticks or crosses in any other rows...
Yet, my user "PaulHarris" still has access to the Admin space! Why?
See attached, screenshot from the "Rights Check Tool".
Clearly you can see that the group is denied access, yet the user has ALLOW access... how can that be, nothing is ticked?
How can a missing tick override a big red NO setting?
This mailing list does not allow attachment files. If you found a bug, create an issue on http://jira.xwiki.org with all details to reproduce it.
The attachment was of a table...

Space Admin

Right                            Allow  Users             Groups
view,comment,edit,delete,admin   Deny   XWiki.XWikiGuest
view,comment,edit,delete,admin   Deny                     XWiki.XWikiAllGroup

Group or User             VIEW  COMMENT  EDIT  ADMIN
*User XWiki.PaulHarris*   true  true     true  true

Can you see the HTML table?
thanks,
Paul